15 May 20, 16:03
Quote:A fresh malware trojan has emerged, built from the same code base as the stealthy COMPFun remote access trojan (RAT). The malware is using spoofed visa applications to hit diplomatic targets in Europe and may be the work of the Turla APT.
According to researchers at Kaspersky, the fake visa application harbors code that acts as a first-stage dropper. That dropper in turn fetches the main payload, which logs the target’s location, gathers host- and network-related data, performs keylogging and takes screenshots. It also monitors USB devices and can infect them in order to spread further, and it receives commands from the command-and-control (C2) server in the form of HTTP status codes.
“In other words, it’s a normal full-fledged trojan that is also capable of propagating itself to removable devices,” researchers wrote in a Thursday analysis. “As in previous malware from the same authors…to exfiltrate the target’s data to the C2 over HTTP/HTTPS, the malware uses RSA encryption. To hide data locally, the trojan implements LZNT1 compression and one-byte XOR encryption.”
As for that “previous malware,” the code base for the new RAT is similar to a COMPFun successor known as Reductor, which Kaspersky observed last year infecting files on the fly to compromise TLS traffic. The firm attributes the new RAT to the same threat actor – which is perhaps the Turla APT.
Read more: https://threatpost.com/innovative-spy-tr...ts/155763/